
Rule: Risky code usage (risky-code) #21

@ddjain

Description


Rule: Risky Code Usage Detection

Overview

Identifies code patterns in a pull request diff that can lead to code injection, command injection or unsafe deserialization: dynamic code evaluation (eval, exec, new Function), shell execution with untrusted input, and string-built SQL.

Label Metadata

  • Label Name: risky-code
  • Color: d73a4a (Red)
  • Description: Potentially risky code patterns detected (eval, exec, etc.)

Detection Logic

Analyze only the added lines of the diff (removed lines cannot introduce risk) for the following patterns:

JavaScript/TypeScript:

  • eval(...), new Function(...)
  • setTimeout(...) / setInterval(...) with a string first argument (the string is evaluated as code)
  • child_process.exec(...) / execSync(...) with user-controlled input in the command string

Python:

  • eval(...), exec(...)
  • os.system(...), subprocess.Popen/run/call(..., shell=True)
  • pickle.loads(...) with untrusted input (deserialization executes arbitrary code)

Shell/Bash:

  • eval "$var" or bash -c "$var" where the variable comes from untrusted input (command injection)
  • Command lines built from unsanitized input

SQL:

  • Raw SQL built by string concatenation, f-strings or template literals instead of parameterized queries

Regex Patterns (Language-Agnostic)

Literal call sites to search for, anchored on a word boundary so that wrappers such as `safe_exec(` or `myeval(` do not match:

  • `\beval\(`
  • `\bexec\(`
  • `\bnew Function\(`
  • `\bos\.system\(`
  • `\bchild_process\.exec\(`

Caveat: `exec(` is not truly language-agnostic. In JavaScript it also matches RegExp.prototype.exec (`pattern.exec(str)`), so in practice the pattern set should be selected by file extension.

Example Code That Triggers

JavaScript:

eval(userInput);
new Function('code', userCode);
child_process.exec(`rm -rf ${userDir}`);

Python:

eval(user_input)
os.system(f"rm -rf {user_dir}")

Example Code That Does NOT Trigger

const func = new Function('x', 'return x + 1'); // static code: every argument is a string literal
safeExec(command); // safe wrapper, not a direct call to a risky API

Note that the plain substring `new Function(` does match the first line; it only stays quiet if the rule also checks that all arguments are string literals. Likewise `safeExec(` escapes a case-sensitive `exec(` match, but a wrapper named `safe_exec(` would not without a word-boundary anchor.
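As an added worked example (not the labeler's own code), here is a first cut of the detection logic described above in Python. It scans only the added lines of a unified diff, chooses the pattern set by file extension, anchors patterns on word boundaries, skips comment lines, and suppresses eval / new Function / exec calls whose arguments are all string literals, which is what keeps the static `new Function('x', 'return x + 1')` example quiet. The names `Finding`, `scan_line`, `scan_diff` and the sample diff are constructed for this illustration and are not an existing API.

```python
# Added example (not the labeler's code): a first cut of the risky-code rule. It scans only
# added lines of a unified diff; Finding, scan_line, scan_diff and SAMPLE_DIFF are constructed.
import re
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    line: int   # line number in the new version of the file
    rule: str
    text: str

# \b keeps safe_exec( quiet; the lookbehind on bare exec( skips pattern.exec(s) but catches a destructured exec(cmd).
PATTERNS = {
    "js": {"eval": r"\beval\s*\(", "new Function": r"\bnew\s+Function\s*\(",
           "setTimeout(string)": r"\bsetTimeout\s*\(\s*[\"'`]",
           "child_process.exec": r"\bchild_process\.exec(?:Sync)?\s*\(",
           "bare exec": r"(?<![\w.])exec(?:Sync)?\s*\("},
    "py": {"eval": r"\beval\s*\(", "exec": r"\bexec\s*\(", "os.system": r"\bos\.system\s*\(",
           "shell=True": r"\bsubprocess\.\w+\s*\(.*\bshell\s*=\s*True",
           "pickle.loads": r"\bpickle\.loads?\s*\("},
}
EXT_LANG = {".js": "js", ".jsx": "js", ".mjs": "js", ".ts": "js", ".tsx": "js", ".py": "py"}
COMMENT = {"js": "//", "py": "#"}
STATIC_OK = {"eval", "new Function", "exec"}   # quiet when every argument is a string literal
_ALL_LITERALS = re.compile(r"^\s*(?:(?:'[^']*'|\"[^\"]*\")\s*,\s*)*(?:'[^']*'|\"[^\"]*\")\s*$")
_HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def _strip_comment(text: str, marker: str) -> str:
    """Cut a trailing line comment, ignoring markers inside quotes (line-local, crude)."""
    quote = None
    for i, ch in enumerate(text):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"`":
            quote = ch
        elif text.startswith(marker, i):
            return text[:i]
    return text


def scan_line(lang: str, text: str) -> list[str]:
    """Names of the rules that fire on one added source line."""
    code = _strip_comment(text, COMMENT[lang])
    if not code.strip():
        return []                                  # blank or whole-line comment
    hits = []
    for name, rx in PATTERNS[lang].items():
        m = re.search(rx, code)
        if m is None:
            continue
        if name in STATIC_OK:
            args = code[m.end():code.rfind(")")]    # crude slice; anything odd stays flagged
            if _ALL_LITERALS.match(args):
                continue                           # e.g. new Function('x', 'return x + 1')
        hits.append(name)
    return hits


def scan_diff(diff: str) -> list[Finding]:
    """Walk a unified diff, tracking new-file line numbers, and scan added lines only."""
    findings: list[Finding] = []
    path, lang, new_line = "", None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):                 # new-file header: pick the language
            path = raw[4:].removeprefix("b/")
            lang = EXT_LANG.get(path[path.rfind("."):]) if "." in path else None
            continue
        m = _HUNK.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        first = raw[:1]
        if first == "-" or first not in ("+", " ", ""):
            continue                               # removed line or non-hunk header
        if first == "+" and lang:
            for rule in scan_line(lang, raw[1:]):
                findings.append(Finding(path, new_line, rule, raw[1:].strip()))
        new_line += 1
    return findings


# Constructed sample diff mixing the issue's own trigger and non-trigger examples.
SAMPLE_DIFF = """\
+++ b/app.js
@@ -1,2 +1,8 @@
 const { exec } = require('child_process');
-exec(legacy);
+eval(userInput);
+const func = new Function('x', 'return x + 1'); // static code
+child_process.exec(`rm -rf ${userDir}`);
+// eval(userInput);  commented out
+safeExec(command);
+const m = pattern.exec(str);
+exec(`ls ${dir}`);
+++ b/tool.py
@@ -1 +1,6 @@
 import os
+os.system(f"rm -rf {user_dir}")
+# os.system("ls")  commented out
+data = pickle.loads(blob)
+exec(user_input)
+subprocess.run(cmd, shell=True)
"""
```

Calling `scan_diff(SAMPLE_DIFF)` reports eval, child_process.exec and the destructured bare exec in app.js, and os.system, pickle.loads, exec and shell=True in tool.py, while the static new Function call, the commented-out lines, `safeExec(command)` and `pattern.exec(str)` stay quiet. Comment stripping is line-local, so a risky call inside a multi-line block comment or docstring still fires; treat the output as a triage signal for security review, not a verdict.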

Test Cases Needed

  • Detects eval usage
  • Detects exec usage
  • Detects os.system usage
  • Ignores safe wrappers (if identifiable)
  • Language-specific detection (pattern set chosen by file extension, so JavaScript `pattern.exec(` is not flagged by the Python `exec(` rule)
  • Handles commented-out risky code (should ignore)

Edge Cases

  • Safe wrappers around eval/exec (hard to detect)
  • Test files using risky patterns (should still flag?)
  • Documentation/comment containing risky patterns (should ignore)

Integration Notes

  • High-priority security rule
  • Should flag for security review
  • Consider combining with security-change rule

Priority

High - Critical for security


Status: Not implemented
Category: Security & Sensitive
